[FIXED JENKINS-43857] Mask Secret parameters in InputSubmittedAction #16

Draft: wants to merge 2 commits into base: master

@abayer (Member) commented Apr 26, 2017

JENKINS-43857

cc @reviewbybees

@abayer requested a review from jglick April 26, 2017 13:48

ghost commented Apr 26, 2017

This pull request originates from a CloudBees employee. At CloudBees, we require that all pull requests be reviewed by other CloudBees employees before we seek to have the change accepted. If you want to learn more about our process please see this explanation.

@jglick (Member) left a comment

Does not seem to be solving an actual problem.

@@ -122,7 +122,10 @@ public void parameter() throws Exception {

// make sure 'x' gets assigned to false
System.out.println(b.getLog());
assertTrue(b.getLog().contains("after: false"));
// TODO: Should we be masking Secrets?
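
Review bot: The `// TODO: Should we be masking Secrets?` comment at the end of this hunk leaves the behaviour named in the PR title unverified: the only assertion shown is `assertTrue(b.getLog().contains("after: false"))`, which checks nothing about a Secret value. Replace the TODO with a test case that submits a Secret-typed parameter and asserts what ends up recorded for it, and drop the `System.out.println(b.getLog());` line if it is new in this change and only there for debugging.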

Well yes, that is the important problem to solve!

String k = entry.getKey();
Object v = entry.getValue();
if (v instanceof Secret) {
this.parameters.put(k, "******");
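
Review bot: In the `v instanceof Secret` branch, `this.parameters.put(k, "******")` stores a bare string literal, so the entry changes type from Secret to String and the submitted value is no longer available to anything that reads `parameters` afterwards. If that loss is intended, move `"******"` into a named constant and add a comment stating that the stored map is a masked copy; the lines shown document neither point.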

Why? The plaintext cannot be recovered from build.xml without access to global keys anyway. PasswordParameterValue stores a Secret so why should we not do the same here?

@abayer (Member, Author) commented Apr 26, 2017

I'll let @i386 comment since this was his concern.

@i386 commented Apr 27, 2017

Problem: If we serialize the contents of this Action via Stapler's export mechanism then would we be leaking secrets?

@jglick mentioned this pull request Jan 3, 2022
@jglick marked this pull request as draft January 3, 2022 22:57